On 64-bit Windows 7 Professional with IE 11, there are two IE 11 updates: Security Update for IE 11 - KB2936068 (MS14-018) as mentioned in the article and Cumulative Security Update for IE 11 - KB2929437. The fact that the latter is not selected by default in Windows Update and Microsoft's description mentions "hotfixes" suggests to me that I should not install this yet. Any thoughts?

Same here on my Win7 x64 with IE11. I assume Susan missed it or did not get it before the article was written. Be nice to have an update/comment/advice ASAP as it may be needed despite its 'enhancements included' parts.

In an earlier column (12/19/13) Susan suggested changing the proxy server settings for PCs still running XP. What is interesting is that while it does block me from browsing the internet with any browser, it did connect to Windows Update for this last group of patches. Norton Live Update also connected. Anyone know what exactly is still open to the outside (and therefore trouble) when you use her recommendation?

@jrp2706: It was not mentioned in the Patch Tuesday pre-announcement from Microsoft so I guess that people did not expect it. It doesn't have a MS14-nnn designation either which suggests that it was added at the last minute. It is very naughty of Microsoft to bundle in a lot of new functionality with a so-called security fix though!


The filippo.io site's tool does not run in my Firefox Browser under Ubuntu Linux 13.10, returning errors like "broken pipe" for nearly any URL I tested. I patch my Linux daily.

Mozilla Products and Ubuntu Linux itself use different SSL implementations. Not OpenSSL in most cases. GNU-TLS, which has been patched, and Mozilla's own SSL implementation, which may never have been vulnerable, do not suffer from the Heartbleed vulnerability currently. Mozilla means Firefox and Thunderbird primarily.

Due to these and other differences, if you've been using Linux on the Web, you may have been less vulnerable. But your websites have remained just as vulnerable.

You should change your passwords for this reason, not because your own desktop Linux system may have been leaking through your own SSL connections. The websites themselves probably used internal SSL which was vulnerable.

Same outcome, but different implications for transmission of personal information.

Fastmail, one of my email providers, did post a recommendation to change passwords. Yahoo and GMail have not done so. So go figure -- or change passwords every 30 days as countless security experts have been nagging us all to do. If you want to only remember one strong password, consider using the free KeepassX (https://www.keepassx.org/) password manager, which is fully portable and fully cross-platform, even for tablets. This is not the same program as Keepass for Windows only.

Mozilla Products and Ubuntu Linux itself use different SSL implementations. Not OpenSSL in most cases.

It’s important to note that multiple versions of Ubuntu are affected, including Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10, so it’s imperative that you ensure that the version you’re running is safe, and that you update to one that is if it’s exposed to the flaw. Here’s how,


These are very important distinctions for Linux users. Thank you for assembling the relevant information.

Yes, the Linux ways of handling secure communications can be different from the Windows ways. So different results occur when testing for vulnerabilities. And, if we test a URL after it has been patched, the test will no longer show the vulnerability. Which tells us nothing of whether the site was ever vulnerable in the past. These are important points which I feel were largely lost in the uproar over Heartbleed in the tech press, including here in Windows Secrets Newsletter.

The inability to gather historical data about a site's past vulnerability to Heartbleed makes a site like filippo.io of very limited use now. Using the site to decide where one needs to change passwords now, is almost as effective as closing the barn doors after the horses have run away. But if a URL is still vulnerable, this should show up in the tests. So if a URL still tests as vulnerable, changing a password for that site would still be premature. And the site operator(s) should get busy patching their servers!

I do patch my Ubuntu daily or every few days, as these patches never result in instabilities and seldom require a system restart. So if Ubuntu was ever vulnerable, I got patched as soon as patches were available. My email client, Claws Mail for Linux, may have been a bit slower to upgrade. The rapid availability of security patches in Linux is another point often overlooked by the tech press.

GNU-TLS had a separate long-standing security flaw, which was patched earlier this year.

Just to be safe, I think everyone, including Linux users, should assume at least some of our secure communications over the Web have at some point been vulnerable to exploits like Heartbleed. We should change all important passwords and consider using a good, cross-platform password manager like KeepassX. That would allow us to use unique, strong passwords at each site, and to change our passwords every 30 days. That's what security experts have been telling us for years, no matter what OS or software we use.

My guess is that by the third week of April 2014, most if not all sites which are going to patch will be patched. Am I assuming too much?
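An added example (not from any poster in this thread) for the Ubuntu version check discussed above and the point that Linux distributions patch differently: Ubuntu backports the Heartbleed fix without bumping the upstream version string, so "OpenSSL 1.0.1e" on a patched box still looks vulnerable to a version-only test. The script combines the upstream affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1) with a search of the package changelog; the changelog wording it looks for ("heartbleed"/"heartbeat") and the sample banners and changelogs are constructed assumptions.

```python
import re

# Parses the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?", re.I)


def upstream_affected(banner):
    """True if the upstream release in the banner is in the Heartbleed range
    (1.0.1 .. 1.0.1f, or 1.0.2-beta1); False otherwise; None if unparseable."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    version = (int(major), int(minor), int(patch))
    if version == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) through "f" are affected
    if version == (1, 0, 2):
        return pre == "beta1"
    return False


def changelog_has_fix(changelog, markers=("heartbleed", "heartbeat")):
    """True if the distro changelog mentions the fix. The marker words are an
    assumption about how the security entry is worded; adjust if needed."""
    text = changelog.lower()
    return any(marker in text for marker in markers)


def assess(banner, changelog):
    """Combine the upstream version test with the distro changelog check."""
    affected = upstream_affected(banner)
    if affected is None:
        return "unknown: could not parse version banner"
    if not affected:
        return "not affected: upstream release outside the vulnerable range"
    if changelog_has_fix(changelog):
        return "patched: vulnerable upstream version, but changelog records a backported fix"
    return "affected: vulnerable upstream version and no fix recorded in changelog"


# Constructed sample input: the same upstream banner before and after a distro update.
SAMPLE_BANNER = "OpenSSL 1.0.1e 11 Feb 2013"
UNPATCHED_CHANGELOG = "openssl (1.0.1e-3ubuntuX) saucy; urgency=low\n\n  * New upstream release\n"
PATCHED_CHANGELOG = ("openssl (1.0.1e-3ubuntuX.Y) saucy-security; urgency=medium\n\n"
                     "  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension\n")

if __name__ == "__main__":
    # In practice: banner from `openssl version`, changelog from
    # /usr/share/doc/libssl1.0.0/changelog.Debian.gz (assumed path on Ubuntu).
    print(assess(SAMPLE_BANNER, UNPATCHED_CHANGELOG))
    print(assess(SAMPLE_BANNER, PATCHED_CHANGELOG))
```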